Re: sleepycat db VS MySQL or postgres
On 1 July 2013 16:28, Jim Pazarena fqu...@paz.bz wrote:

> I could move to db5 or db6 OR MySQL, or even postgres.
>
> <snip>
>
> I have no experience with the C interface for postgres or mysql, but also, do not know how much the C interface has changed for sleepycat 5/6 compared to the C interface for db3, which I understand quite well. So I am prepared for a learning curve irrespective of which platform I select.
>
> Records do not exceed much more than 10-20,000, with key sizes not much wider than 16 bytes (ipv4), 13 (mac), 32 (ipv6). And various smaller key sizes.
>
> Suggestions would be very much appreciated.

Jim - ultimately I'd recommend deciding which of the three you WANT to learn and then use it. I know nothing about db* but I use both MySQL and PostgreSQL on a regular basis. I like them both. I prefer the licence used by PostgreSQL, I prefer the PostgreSQL replication but I use whichever suits my needs. Some people are fanatical about one or the other, I say pick whichever you're more interested in and learn how to use it.

kmw

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: latest git ports upgrade
On Nov 29, 2012 2:27 PM, Artifex Maximus artife...@gmail.com wrote:

> BTW, why does the system not know user git_daemon when git_daemon was in passwd and master.passwd? I am using portmaster to upgrade my installed ports.

I have had this exact issue when installing postgresql via portmaster. When it fails (and it almost always does for me on 8.3-RELEASE when installing 9.1) I use vipw to remove the entry for the pgsql user. It's a little tedious but not enough of a headache for me to file a PR or investigate.

kmw
Re: Apache vs. nginx
On Jul 18, 2012 5:19 AM, Wojciech Puchar woj...@wojtek.tensor.gdynia.pl wrote:

>> I'm the admin for a small hobby website (Stovebolt.com - about 7 million hits/mo). We're fixin to buy a new server, and since I have to start from scratch (install FreeBSD and all the needed ports), I'm wondering if anyone on this list has switched from Apache to nginx.
>
> it depends on your needs.

This is a fantastic statement (I'm being serious, not facetious), because it really does. For specific purposes - serving static content with few bells and whistles, dedicated PHP application servers for custom apps and stuff like Drupal - I can't see ever going back to Apache. The nginx configs are too clean and too simple.

For a large site with more complex authentication and access restriction needs that are handled by the web server, I wouldn't drift from Apache - not because I think nginx couldn't handle it but because I don't know if it could and because I am less comfortable with saying I did it properly with nginx than saying the same thing about Apache.

kmw
Re: mutual forwarders in ISC BIND
On Dec 28, 2011 9:26 PM, Victor Sudakov v...@mpeks.tomsk.su wrote:

> And the reason for the whole thread. One of the customers told me that 8.8.8.8 is faster than our own DNS servers which are located on the same 100 MBit/s LAN with them. I was shocked but it seems true, at least for the answers which are not yet cached.

That actually makes perfect sense. That's one of the Google DNS IP addresses and they see a LOT of traffic; they're probably going to have the majority of the domains your clients want to look up (assuming your clients are like mine and most of their lookups are general web traffic) already in cache - your servers will need to go through the whole lookup process.

Still, after a day or two of use, I would think your servers would have the bulk of what they needed in their caches. You may want to enable logging to see which domains are being looked up (if it won't break any applicable laws or policies) and do some spot-checks to see why they may not be in your cache.

kmw
PF and dup-to?
Hi folks,

I have the following pf.conf on FreeBSD 8.1-RELEASE *and* 8.2-RELEASE

===
set block-policy return
set skip on lo

int_if="bge1"
ext_if="bge0"
dup_if="dc0"

# NAT rule
nat on $ext_if from $int_if:network to any -> ($ext_if) sticky-address

#
# Windows RDP redirection...
#
# we have to stick a pass rule inside the rdr rule.
# I think it's nasty but it works.
#
rdr pass on $ext_if proto tcp from any to $ext_if port rdp -> 10.201.201.101

# same for the Apache test instance
rdr pass on $ext_if proto tcp from any to $ext_if port http -> 10.201.201.102

# And to proxy web traffic from the inside
# disabled temporarily
# rdr pass on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128

# block everything
block in all
block out all

pass out quick on dc0

# allow everything from the NAT and any outbound connections from the FW
pass in on $int_if from any to any keep state
pass out on $ext_if from any to any keep state

#
# SSH
#
# allow inbound on the external interface
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state

#
# Windows Remote Desktop
#
pass out on $int_if proto tcp from any to 10.201.201.101 port rdp keep state

#
# Apache test instance
#
pass out on $int_if proto tcp from any to 10.201.201.102 port http keep state

#
# temp to allow any connections from the FW to come to the internal net;
# note this is inclusive of the above two pass out rules
pass out on $int_if from ($int_if) to 10.201.201.0/24
===

When I change

pass in on $int_if from any to any keep state

to

pass in on $int_if dup-to $dup_if from any to any keep state

or

pass in on $int_if dup-to ($dup_if 192.168.1.2) all

all traffic to the outside stops passing.

In addition, I get a TON of kernel messages:

arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 152.10.2.222
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 152.10.2.222
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 152.10.2.222

My understanding of dup-to is that it should allow the interface to basically act as a span port - the original traffic gets passed via normal routing rules and a copy of each packet gets sent out $dup_if and should be visible via tcpdump on the other end but a tcpdump of dc0 doesn't see the traffic ever leaving the interface.

Apparently I have a fundamental misunderstanding somewhere along the way or I've been looking at this for far too long over the last few days and I'm missing something extremely basic. I'll test with another laptop with a different configuration and reply back with any success I find.

Thanks!

kmw
Re: shopping for a new server
On Thu, Aug 25, 2011 at 12:45, Tim Kellers timot...@wallnet.com wrote:

> Dell 2500 from 10 years back is soon to be very dead in the machine room at work. I'm thinking about replacing it with a Rack mount Dell R610. Has anyone used that and has compatibility issues or successes? I'll be using a RAID 5 setup and PERC version is up to 6i in this box, any issues with this PERC? The specs indicate R610 will way outperform the old 2500. The 2500 currently supports mail (sendmail), web, db (pgsql and mysql), samba, etc.

I can't recommend the R610 highly enough. I have them as firewall/routers and DNS servers and they are fantastic. 8.2-RELEASE amd64. As Maxim pointed out, they use the mfi and bce drivers...I've added some Intel quad-port fibre NICs using the igb driver to the firewalls and haven't had any issues.

My only suggestion is to pay attention to disk speed and RAID type if you're going to do heavy database work. I have a 200GB PostgreSQL database on RAID5 with 10K disks that crawls on data loads so I'm in the process of verifying RAID 1+0 performance (we're neither CPU- nor memory-bound but the reported disk I/O via iostat is atrocious).

dmesg for any of our R610s available on request if you want specifics.

kmw
Re: OpenVPN Setup
On Wed, May 11, 2011 at 09:11, Bill Tillman btillma...@yahoo.com wrote:

> 2. I have my OpenVPN process running on my FreeBSD server and wish to test it with the OpenVPN client for Windows on my laptop from an outside location. But the only outside locations I have access to right now are the local McDonalds and Starbucks which offer free WiFi via ATT's network. The trouble with this is they appear to be blocking almost everything at these locations with the exception of HTTP traffic. I can't make the connection and I cannot access my LAN via SSH either. I don't think they are blocking any particular ports on these systems as much as they are just blocking everything except those ports which allow users to surf the web. The only thing which appears in the status window is that it's trying to make the handshake but then fails. I can ping my home server from these outside locations so I know my server is reachable.

It's not uncommon for guest/visitor/unsponsored/portal wireless to only have ports 80 and 443 (sometimes only port 80) open. You can modify your server's config to use port 80 instead of 1194 (assuming you aren't running a webserver on that machine). Keep in mind that if you do that then before you can connect you'll have to:

o change the config on the server
o restart openvpn on the server
o change the config on the client

kmw
Re: Fw: OpenVPN Setup
On Tue, May 10, 2011 at 19:19, Bill Tillman btillma...@yahoo.com wrote:

> OK I know I saw this somewhere but it eludes me now. I have generated the keys and certificates for the server and client on my FreeBSD server. I then copied them over to my Windows laptop but apparently cannot find where I'm supposed to copy them to. And my replies keep getting blocked by some kind of spam filter.

The client conf and all certs can go in one directory under

(32-bit Windows) C:\Program Files\OpenVPN\config\
(64-bit Windows) C:\Program Files (x86)\OpenVPN\config\

kmw
Re: Fw: OpenVPN Setup
On Tue, May 10, 2011 at 19:59, Bill Tillman btillma...@yahoo.com wrote:

> This is a very frustrating process but I think I'm getting there. The files I created on the FreeBSD server which I copied over are:
>
> client1.crt
> client1.csr
> client1.key
>
> But the windows setup appears that it wants one of these files to be called client.ovpn. Of course I can't give all of them that name so I'm stumped again.

You only need to copy the .crt and .key files, those are your key and certificate for the client named client1. They are used for authentication.

The .ovpn file (.conf on Unix) contains the information OpenVPN needs to find your OpenVPN server. A good sample can be found at:

http://openvpn.net/index.php/open-source/documentation/howto.html#examples

For example, I give the following config to my clients:

client
dev tun
proto udp
remote put_your_server_ip_here 1194
resolv-retry infinite
nobind
persist-key
persist-tun
route-method exe
route-delay 2
ca ca.crt
cert client1.crt
key client1.key
# only uncomment if you setup tls-auth
# tls-auth tls-auth.key 1
verb 3
comp-lzo

Yours won't match exactly but it'll probably be awfully close.

kmw
Re: Fw: OpenVPN Setup
On Tue, May 10, 2011 at 20:09, Kevin Wilcox kevin.wil...@gmail.com wrote:

> On Tue, May 10, 2011 at 19:59, Bill Tillman btillma...@yahoo.com wrote:
>
>> client1.crt
>> client1.csr
>> client1.key
>
> You only need to copy the .crt and .key files, those are your key and certificate for the client named client1.

One more comment there - you also need the ca.crt file.

kmw
Re: OpenVPN Setup
On Tue, May 10, 2011 at 20:50, Frank Griffith frnkgrf...@yahoo.com wrote:

> Anyway, I tried to start the OpenVPN server on the FreeBSD server and it will not start. I got this message:
>
> # openvpn /usr/local/etc/openvpn/server.conf
> Tue May 10 20:35:11 2011 OpenVPN 2.2.0 amd64-portbld-freebsd8.2 [SSL] [LZO2] [eurephia] built on May 10 2011
> Tue May 10 20:35:11 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
> Tue May 10 20:35:11 2011 Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
> Tue May 10 20:35:11 2011 Exiting

If you edit /usr/local/etc/openvpn/server.conf, it will mention

ca ca.crt
cert server.crt
dh dh1024.pem
key server.key

or something similar. Each of the files it references will need to be in /usr/local/etc/openvpn/. The error "Cannot open dh1024.pem" tells you what it's trying to open that it can't find.

kmw
Re: Can I bridge the same subnet across a VPN?
On Tue, May 3, 2011 at 15:19, Geoff Roberts ge...@apro.com.au wrote:

> Is it possible to join two sites with the same subnet across a VPN?

Yes.

> I have two sites that have the same subnet/mask. I need these two separated networks to behave as one across a VPN.

That's understandable. You may want to consider breaking the /24 into two /25s, one at each site, and routing the connection instead but that's not necessary and you can indeed use a bridge with few issues.

> Happy to use either IPSec or OpenVPN to actually encrypt the traffic.

We've done it as a demo of what you can do with OpenVPN, it's trivial once you get some configuration issues straight in your head (or that's how it worked for me). To bridge in OpenVPN, take a look at:

http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html

kmw
Re: dhcpd in vmware
On Wed, Apr 6, 2011 at 04:12, per...@pluto.rain.com wrote:

> Kevin Wilcox kevin.wil...@gmail.com wrote:
>
>> If you're just using the 192.168.4.129 - 254 addresses I would change it to
>>
>> subnet 192.168.4.0 netmask 255.255.255.0
>
> Shouldn't that be netmask 255.255.255.128?

That's what I thought at first as well. Then I saw the router at 192.168.4.1, so it looks like they're using the entire /24 but only assigning addresses via DHCPd to the top half.

kmw
Re: dhcpd in vmware
On Tue, Apr 5, 2011 at 08:29, xinyou yan yxy@gmail.com wrote:

> the dhcpd can't start in vmware :
>
> Here is my /usr/local/etc/hpcdd.conf

Is the file named hpcdd.conf or is that a typo?

> subnet 192.168.0.0 netmask 255.255.255.0 {
>   range 192.168.4.129 192.168.4.254;
>   option routers 192.168.4.1;
> }

That *should* throw an error due to the netmask. If you're just using the 192.168.4.129 - 254 addresses I would change it to

subnet 192.168.4.0 netmask 255.255.255.0

Otherwise the netmask of 255.255.255.0 will lead dhcpd to think it should be offering for 192.168.0.1 - 192.168.0.254.

> when i use /usr/local/etc/isc-dhcpd start it shows :
>
> Please do not under any circumstances send requests for
>
> failed to start dhcpd

Does it give any other errors?

kmw
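The netmask point in the reply above (and the 255.255.255.128 question in the other reply in this thread) can be checked mechanically before dhcpd is restarted. What follows is an added example, not code from the thread: a small Python script that parses one dhcpd subnet declaration and reports when the range or the router lies outside the declared network, or when the router sits inside the dynamic range. The two declarations embedded in it are constructed from the configuration quoted above (the broken one, and the corrected subnet line); the regexes only cover the simple subnet/range/option routers form used there.

```python
"""Check that an ISC dhcpd subnet declaration and its range agree.

Added example, not from the original thread. It demonstrates why
'subnet 192.168.0.0 netmask 255.255.255.0' cannot hand out
192.168.4.129-254 (the range and the router are outside 192.168.0.0/24),
while 'subnet 192.168.4.0 netmask 255.255.255.0' covers them.
"""
import ipaddress
import re

# Constructed samples: the declaration from the thread and the corrected one.
BROKEN = """
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.4.129 192.168.4.254;
  option routers 192.168.4.1;
}
"""
FIXED = """
subnet 192.168.4.0 netmask 255.255.255.0 {
  range 192.168.4.129 192.168.4.254;
  option routers 192.168.4.1;
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{")
# Two-address 'range [dynamic-bootp] lo hi;' form only; a single-address
# range is not handled here.
RANGE_RE = re.compile(r"range\s+(?:dynamic-bootp\s+)?(\S+)\s+(\S+)\s*;")
ROUTER_RE = re.compile(r"option\s+routers\s+([^;]+);")


def parse_subnet(text):
    """Return (network, [(lo, hi), ...], [routers]) for one subnet block."""
    m = SUBNET_RE.search(text)
    if not m:
        raise ValueError("no subnet declaration found")
    # strict=True rejects a subnet address with host bits set (dhcpd does too).
    network = ipaddress.ip_network("%s/%s" % (m.group(1), m.group(2)), strict=True)
    ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
              for lo, hi in RANGE_RE.findall(text)]
    routers = []
    for group in ROUTER_RE.findall(text):
        routers.extend(ipaddress.ip_address(r.strip()) for r in group.split(","))
    return network, ranges, routers


def check_subnet(text):
    """Return a list of problems; an empty list means the block is consistent."""
    network, ranges, routers = parse_subnet(text)
    problems = []
    for lo, hi in ranges:
        if lo > hi:
            problems.append("range %s-%s is reversed" % (lo, hi))
        if lo not in network or hi not in network:
            problems.append("range %s-%s is outside %s" % (lo, hi, network))
        if lo == network.network_address or hi == network.broadcast_address:
            problems.append("range %s-%s includes the network or broadcast address"
                            % (lo, hi))
    for r in routers:
        if r not in network:
            problems.append("router %s is outside %s" % (r, network))
        for lo, hi in ranges:
            if lo <= r <= hi:
                problems.append("router %s lies inside dynamic range %s-%s"
                                % (r, lo, hi))
    return problems


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_subnet(conf) or "ok")
```

Running it prints two problems for the broken declaration (range and router both outside 192.168.0.0/24) and "ok" for the corrected one; a /25 declaration of 192.168.4.128 would also pass the range check, but would then fail on the router at 192.168.4.1, which is the point made in the other reply.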
Re: Installing squid, where should the directories be?
On Wed, Mar 9, 2011 at 10:27, Leslie Jensen les...@eskk.nu wrote:

> I'm installing squid on a new 8.2-RELEASE machine.

Me too.

> I have /usr/local/squid as default directory and have made a separate mount point.

Same here. As a general rule I like to give squid its own hard drive, or its own RAID. Giving it a separate partition on a single drive is useful if you're concerned about filling the disk but that *should* be controlled by the squid configuration file. Still, it's a good idea.

> When it comes to the cache and the logs directory I can see that the squid installation has created the /var/squid/cache directory.

I've always seen /var/squid as being very Linux-centric. /usr/local/squid or /usr/local/var/squid makes more sense to me.

> When Googling this problem I see both the use of /var/squid and /usr/local/squid. Where should it be?

Yep, ultimately it doesn't matter as long as you know where it is, you document where it is and your settings are correct in /usr/local/etc/squid/squid.conf. By default squid will use /var/squid. I always change it on install.

> When running the command squid -z to initialize the cache the cache directory must be there otherwise the command won't work.
>
> How should I set the permissions on /usr/local/squid and the directories below?

I use 755, squid:squid.

> I could not find any advice in the Handbook. I'll be happy to help making a squid chapter.

I'm writing some internal documentation on deploying pf + squid 2.7.x + SNMP on FreeBSD 8.2 routers/firewalls with cacti monitoring, I'll contribute what I can. I doubt we'll see a section on squid as it's really a niche area but it's always good to have something on the list so folks doing a search can find something useful. If it's going to be a few days before you get into the heavy lifting I'll try to send something directly or maybe a link to this list this weekend.

You said you had notes from doing a 2.x installation, are you installing 3.x?

I'm sticking with 2.7.STABLE9 for storeurl support in some places and considering 3.x in others. 3.2 introduced SMP support but you can achieve pseudo-SMP support by running multiple instances on the same machine...just remember each instance has its own RAM and disk cache, which sort of kills the performance.

kmw
Re: Help: Looking to contact someone running FreeBSD on ESX
On Fri, Feb 25, 2011 at 12:52, Mark Felder f...@feld.me wrote:

> The ones that crash are usually our main webservers (Apache, PHP, no MySQL locally though). We have LOTS of IPs on them and they do a ton of network traffic, but usually don't have a super high load average (maybe .75 - 1.0 on a normal day?). Currently we're running 8.1-RELEASE on them.

Just as a note regarding that load average and ESX. I've noticed that none of my FreeBSD VMs report a *true* load average on ESX. The CPU hardly ever spikes (particularly on some snort listeners) but ESX shows the VMs as being CPU-bound the better part of the day. You may want to take a look at what the ESX performance charts are showing during your heavy usage periods and particularly before things go pear-shaped.

kmw
Re: qmail or postfix?
On Tue, Feb 1, 2011 at 09:32, Alessandro Baggi alessandro.ba...@gmail.com wrote:

> Hi list. Which is better, qmail or postfix? thanks in advance

That's a loaded question. Both have advocates, just like vi or emacs, Linux or Nothing, FreeBSD or OpenBSD, OS X or Windows and X Window System or CLI.

That said, if you know neither and your requirements are met by both of them, I'd opt for postfix. It isn't as burdened with dependencies and, from what I can tell, it enjoys a larger, more active support community.

kmw
Re: PF firewall rules and documentation
On Mon, Jan 31, 2011 at 05:58, Da Rock freebsd-questi...@herveybayaustralia.com.au wrote:

> Yes. Me unfortunately, but I did manage to pick it up quite quickly though. I had a little thief attack one of my ports and attempt login on the firewall. I had to change it to
>
> block in $log on $ext_if all
> block out $log on $ext_if all
>
> to actually block the traffic. Bit of a doozy really, I'm still monitoring the traffic very closely with tcpdump on the interface and not the log.

Unless you have an explicit need to block in/out, it's easier to maintain a ruleset that uses

block log on $ext_if

For example, I use the following as a starting point for some of my routing firewalls:

=
int_if="bge1"
ext_if="bge0"

set skip on lo

# block everything
block

# NAT rule
pass out log(all) on $ext_if from ($int_if:network) to any nat-to ($ext_if)

# allow traffic in on the internal interface
pass in on $int_if from ($int_if:network) to any keep state
=

There are at least three things in that basic config that some people would jump on me for.

1) why block all if I'm then allowing everything in on the internal interface?
2) why block all if I'm allowing everything out on the external interface?
3) why not pass everything on the internal interface and then filter on the external?

The shortest answer is because I happen to like that starting point and it serves as a syntactical reminder if I deploy without a pf reference handy.

Regarding 1) and 2), the longer answer is that I like to control traffic flow. I don't want to allow inbound connections on the external interface and I don't have a need for the firewall to connect to machines inside the NAT. On my bridges I'll set skip on the internal interface and filter on the other but I don't like doing that for a router.

> There are some plans to update PF to a more recent version. So maybe it will be better.
>
> Actually, that sounds like a better idea than mine ;) Kills 2 birds with one stone then...

I am truly excited about this as the NAT and RDR stuff was significantly cleaned up (and the OpenBSD pf FAQ is a great resource). I'm even more excited about the patch to tcpdump that Daniel just sent to freebsd-pf@ that allows you to tcpdump a pfsync device and pull the state creation/updates - in my opinion, that's the weakest area for a BSD firewall (we'll ignore span ports on routers since you can bridge two addressed interfaces and create a span of that bridge) and being able to easily pull those NAT translations fulfills some serious accountability issues.

If you need a reliable printed reference, you should really consider picking up Hansteen's _The Book of PF_, available from No Starch Press:

http://nostarch.com/pf2.htm

I have the first edition and it's incredible but somewhat dated. The author suggests the second edition for FreeBSD 8.x+.

kmw
Re: Managing ESXi from FreeBSD...
On 24 January 2011 13:42, Outback Dingo outbackdi...@gmail.com wrote:

> lose ESucksXi and install XCP 1.0 and for management xencenter / openxencenter will run on FreeBSD,

I wish I could recommend XCP and/or Xen to the average user but trying to install FreeBSD 8.1-amd64 in Xen, even running in HVM, doesn't come close to the boot and go ease of FreeBSD in VMWare products. That opinion may change once I get a template similar to the provided Linux templates but until then, as far as I'm concerned, Xen can't touch ESXi.

I would *love* for someone like RootBSD, who specialises in FreeBSD on Xen, to come through with tips on how they get it to work so well. In a stock install, running in an HVM environment, I get boot failures approximately two-thirds of the time, *usually* right after the "ACPI APIC TABLE Xen HVM" line but it does vary. By boot failure I mean vCPU usage drops to 0% for at least 10 - 15 minutes before I give up and reboot.

kmw
Re: The book of pf...
On 19 January 2011 02:28, Christer Solskogen christer.solsko...@gmail.com wrote:

> On Tue, Jan 18, 2011 at 7:35 PM, Kevin Wilcox kevin.wil...@gmail.com wrote:
>
>> 1) Definitely get the first version
>
> Oh, why?

Because Peter made mention on misc@ that the second edition was geared towards OpenBSD 4.8 and the version of pf that's in FreeBSD is quite a bit older.

http://marc.info/?l=openbsd-misc&m=128938065524891&w=2

kmw
Re: The book of pf...
On 17 January 2011 23:37, Modulok modu...@gmail.com wrote:

> Or perhaps someone could suggest something else? I read the examples and basic handbook for pf, but wanted a bit more. I'm going to be tackling a firewall project coming up and need to be well prepared. Suggested readings appreciated.

1) Definitely get the first version
2) Definitely pick up the book. While the OpenBSD FAQ is *extremely* useful, you don't always have access.

This is the single best pf reference I've seen.

kmw
Re: FreeBSD Decision
On 14 January 2011 14:19, Tim Daneliuk tun...@tundraware.com wrote:

> On 1/14/2011 12:46 PM, Alessandro Baggi wrote:
>
>> Hi list, I don't want to make a flame post but I would ask an objective opinion, then not a camp opinion, about using FreeBSD or Debian Linux in a production environment
>
> <snip>
>
> IOW, your selection has less to do with the OS kernel and more to do with the set of tools, applications, and hardware that surround the OS. If all things are equal, I prefer FreeBSD because it has a smaller footprint on the hardware and is easier to install/maintain than Linux. However, whether we like it or not, there is far more commercial and third party support for *some* linux distros (RHEL and SLES).

I agree completely with what Tim has said. I'm not in that large of an environment (but not terribly far from it) and we run a mix - Windows for some things, various Linux distributions where it makes sense, FreeBSD and OpenBSD in other areas. There is never one solution that fits every scenario in a large environment unless you provide one set of services and make it a point to specialise on offering those services on one platform.

> Given what you've told us, if it really does come down to Debian or FreeBSD, it sounds like you don't need much in the way of third party stuff. In that case, I'd use FreeBSD.

Indeed. From the sound of it, everything he needs is available in ports and can be broken into roles for management by a combination of something like puppet and OSSEC (I like the FIM component). As a general rule, unless Linux is required for hardware support or because foo application runs better on Linux, I'll opt for one of the BSDs. However, that is MY personal opinion...if everything else is equal and it's a true toss-up, I'd recommend you go with the OS you're the most familiar with hardening and managing.

kmw
Re: Bot?
On 5 January 2011 10:47, Jerry Bell je...@nrdx.com wrote:

> There could be reasons you aren't seeing a spike, such as you're only looking at traffic processed by the MTA, or it simply doesn't show as a material increase on a graph of traffic on the network interface if the server is busy.

Those are good points and to go a little further regarding looking at traffic...

To really see what your machine is doing, consider taking a look at the network flows. pfflowd, netflowd, ipaudit and a host of others can get you flow data with mostly minimal overhead.

kmw
Re: Bot?
On 5 January 2011 13:25, David Brodbeck g...@gull.us wrote:

> On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcox kevin.wil...@gmail.com wrote:
>
>> To really see what your machine is doing, consider taking a look at the network flows. pfflowd, netflowd, ipaudit and a host of others can get you flow data with mostly minimal overhead.
>
> Also, keep in mind that depending on how badly the machine has been compromised, you may not be able to trust the output of utilities running on the machine itself. You may have to resort to capturing its network traffic on another machine for analysis.

That's an excellent point. A span port from the upstream switch/router would be ideal unless you've verified, through mechanisms external to the machine (known good test media), that the tools on that machine are trustworthy.

kmw
Re: FreeBSD IPSec stack contains backdoors?
On 17 December 2010 10:36, Mike L jackoro...@gmail.com wrote:

> Reads like an unacceptable response to an issue that seems quite critical.

Here, let me re-iterate for those that may not have a copy of what you're saying is unacceptable in front of them:

o we're aware there's talk about some projects possibly having been compromised a decade ago
o we have ports of those projects in our project
o the code that ends up in FreeBSD from those other projects rarely resembles the original project's code
o in the porting process, bugs may unintentionally be introduced or removed
o bugs present in the upstream project may not be found in FreeBSD's version
o people are welcome and encouraged to look at the FreeBSD code, provide fixes and/or decide for themselves if they want to use it

What more do you want them to say? How is this not a perfectly reasonable response?

Cutting security-officer@ out because I'm pretty sure Colin reads this list.

kmw
pf + NAT + log
Hi everyone. This is probably better suited for freebsd-pf@ but I'll give it a go before spamming YAML.

I'm testing NAT on FreeBSD 8.1. My setup is very simple:

My workstation - { internal network switch } - FreeBSD 8.1 routing firewall with squid 3 - { switch going to Internet }

My pf configuration is a bare minimum for passing everything and logging at every stage I can think of. I'll start filtering after I get this sorted out.

pf.conf:
===
ext_if=bge0
int_if=bge1

rdr pass log(all) on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128
nat pass log(all) on $ext_if from $int_if:network to any -> ($ext_if)

pass log(all) on $int_if
pass log(all) on $ext_if
===

If my internal workstation is 10.201.201.1, the external interface on my FreeBSD machine is 10.100.100.1 and I ssh to a server at 10.1.1.1, the connection works. On the server I get a connection on port 22 from the FreeBSD router on source port 3. This is confirmed by netstat and tcpdump on the server. On the workstation, tcpdump and netstat confirm a connection from the workstation to the server; destination port is 22, source port is 1.

On the FreeBSD router, 'pfctl -s s' confirms:

all tcp 10.201.201.1:1 -> 10.100.100.1:3 -> 10.1.1.1:22 ESTABLISHED:ESTABLISHED

Here is where my problem sits. If I do a tcpdump of the pflog, I get an entry from my workstation to the server showing communication from port 1 to port 22. I get an entry from the FreeBSD router to the server, from port 3 to port 22. What I don't get, and what I desperately need, is a way to show that the connection from the FreeBSD router to the server is on behalf of my workstation.

Have I missed something in the NAT configuration that logs the actual translations?

Can you configure pf to log similar to the output of pfctl where it shows something like:

time protocol stuff 10.201.201.1.1 10.100.100.1.3 10.1.1.1.22 TCP stuff

Basically, I need to log all of the translations such that if I have five internal machines all ssh to one server around the same time, and the server admin comes back and says, "one of your users tried to login as root from port 12345", I can go back and look at the pflog and say, "oh, that connection was a NAT translation from workstation <X>".

Thanks!

kmw
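One way to get the correlation the post is after without relying on pflog at all, as an added example that is not part of the original thread: the state table already holds both the pre-translation and the post-translation endpoints, so a snapshot of `pfctl -ss` saved periodically (cron writing to a timestamped file) is the record to consult when a server admin reports a source port. The script below assumes the three-address state format quoted in the post; `SAMPLE_STATES`, the hosts and the ports in it are constructed, and `find_internal`/`hosts_to_dst` are names chosen here.

```sh
#!/bin/sh
# Added example, not from the original post: answer "which inside host was
# behind external address:port X talking to server Y?" from a saved snapshot
# of `pfctl -ss`. SAMPLE_STATES is constructed in the three-address format
# quoted in the post; the hosts and source ports are made up.

SAMPLE_STATES='all tcp 10.201.201.1:1 -> 10.100.100.1:3 -> 10.1.1.1:22       ESTABLISHED:ESTABLISHED
all tcp 10.201.201.2:40123 -> 10.100.100.1:12345 -> 10.1.1.1:22       ESTABLISHED:ESTABLISHED
all tcp 10.201.201.3:51000 -> 10.100.100.1:51000 -> 10.1.1.1:22       ESTABLISHED:ESTABLISHED
all udp 10.201.201.2:5353 -> 10.100.100.1:5353 -> 10.1.1.5:53       SINGLE:NO_TRAFFIC
all tcp 10.100.100.1:9999 -> 10.1.1.9:80       ESTABLISHED:ESTABLISHED'

# find_internal STATES PROTO EXT_ADDR:PORT DST_ADDR:PORT
# Prints the pre-translation (inside) address:port of the state whose
# translated source is EXT_ADDR:PORT and whose destination is DST_ADDR:PORT.
# A two-address state (no translation, i.e. traffic the router itself sent)
# is reported as "router"; no output means nothing in the snapshot matched.
find_internal() {
    printf '%s\n' "$1" | awk -v proto="$2" -v gwy="$3" -v dst="$4" '
        $2 == proto && NF == 8 && $4 == "->" && $6 == "->" && $5 == gwy && $7 == dst { print $3; exit }
        $2 == proto && NF == 6 && $4 == "->" && $3 == gwy && $5 == dst { print "router"; exit }
    '
}

# hosts_to_dst STATES DST_ADDR:PORT
# Lists every inside address that had a translated state to DST_ADDR:PORT,
# one per line, for the "five machines all ssh'd to the same server" case.
hosts_to_dst() {
    printf '%s\n' "$1" | awk -v dst="$2" '
        NF == 8 && $4 == "->" && $6 == "->" && $7 == dst {
            host = $3
            sub(/:[0-9]+$/, "", host)   # drop the port; also works for [v6addr]:port
            print host
        }
    ' | sort -u
}

# Production use replaces SAMPLE_STATES with the snapshot nearest the reported
# time, e.g. find_internal "$(cat /var/log/pfstates.TIMESTAMP)" tcp 10.100.100.1:12345 10.1.1.1:22
echo "10.100.100.1:12345 -> 10.1.1.1:22 came from: $(find_internal "$SAMPLE_STATES" tcp 10.100.100.1:12345 10.1.1.1:22)"
echo "inside hosts seen talking to 10.1.1.1:22:"
hosts_to_dst "$SAMPLE_STATES" 10.1.1.1:22
```

Snapshots only catch states that exist at the moment they are taken, so the interval has to be shorter than the shortest connection you care about; a state for an SSH session that lives for seconds can fall between two snapshots, which is the gap that a per-packet log would close.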
Re: router / firewall with PF and carp.
On 1 October 2010 05:29, krad kra...@gmail.com wrote:

> In my experience freebsd should work fine. However I would say openbsd is probably better suited to your needs, due to its tighter security model (auditing)

Krad, I was under the impression that 'audit' from TrustedBSD is built into FreeBSD. Is there a facility in OpenBSD that is better or is there something in 'audit' that is lacking?

Thanks!

kmw
Re: router / firewall with PF and carp.
On 1 October 2010 10:16, Daniel Bye freebsd-questi...@slightlystrange.org wrote:

> On Fri, Oct 01, 2010 at 09:40:56AM -0400, Kevin Wilcox wrote:
>> Krad, I was under the impression that 'audit' from TrustedBSD is built into FreeBSD. Is there a facility in OpenBSD that is better or is there something in 'audit' that is lacking?
>
> I think krad is referring to the well-publicised code audit that the OpenBSD project conducts, rather than the TrustedBSD audit framework. As far as I know, OpenBSD doesn't have anything comparable, but it's a long time since I looked at it, so I might be typing out of me ear...

Dan, that makes perfect sense. I'm working up a BSD presentation for the local LUG next week and the latest compare/contrast I was working on was SELinux/GrSecurity/Pax versus TrustedBSD; my brain immediately parsed "auditing" as an audit trail, not the immense code audit for the base system.

Thanks for the reality check!!

kmw
Re: Intel video Driver
On 22 September 2010 13:16, jorge espada espada.jo...@gmail.com wrote:

> I need my laptop to work..so I removed freebsd 8.1 and installed gentoo so I can't post the output of pciconf -lv, but I want freebsd...so if anyone knows how to sort this problem please share...

To resolve a combination dual-head, Nvidia, Virtualbox and 8GB RAM issue I had, I had to move to Gentoo and run FBSD in a VM for those times I wanted to use FBSD for something. It isn't the cleanest solution but it works for me, both under Gentoo in the office, VMWare Fusion on the Macbook and Windows 7 at home.

kmw
Re: CARP and freebsd
On 3 September 2010 10:37, gahn ipfr...@yahoo.com wrote:

> Is carp a part of freebsd 8.1? or I have to download from somewhere and install it?

Everything you could want to know about CARP and FreeBSD:

http://www.freebsd.org/doc/handbook/carp.html

On my 8.1 box -

fbsdsroute0# sysctl net.inet.carp.allow
sysctl: unknown oid 'net.inet.carp.allow'

So I can't say for certain but I would hazard the guess that it is not included in the GENERIC kernel. Alas, there is documentation for rebuilding your kernel, too:

http://www.freebsd.org/doc/handbook/kernelconfig.html

kmw
Re: vmware and freebsd 8
On 28 July 2010 00:47, kalin m ka...@el.net wrote:

> messing around with vmware and fbsd 8... has anybody used vmware esxi 4 to put a bunch of fbsd machines on it? i also installed the vmsphere client (they call it) which is pretty nice interface to interact with the virtual machines but apparently doesn't know much on how to install vmware tools on a bsd guest.

We use paid-for ESX, not ESXi, but that shouldn't make a difference. FreeBSD 8 and ESX play great together, at least in my circumstances. Setups are pretty generic - minimal installs + ports with different VMs for subversion, apache, postgresql, OSSEC, netflow collectors, snort and even a few virtual FreeBSD firewalls. Overall I couldn't be more pleased.

> so the question is which vmware tools should i get for the fbsd 8 guests to go with the esxi 4.1. in the ports there are vmware-tools6, 5, 4, 3. tried six. it wants some disk. there is also the open-vmware-tools. is that open one better to play with the esxi 4.1 and the vmsphere thing?

I install vmware-guestd6 from ports so I can eliminate all of the X libraries getting installed. ESXi should come with a freebsd.iso file that you can use for the tools install (I'm not one of our ESX administrators so I can't speak definitively but I did get an ISO from them for the tools installation).

> also is there anything better than vmware for virtualization that plays nice with fbsd?

The rumour is that FreeBSD does great as Xen domU but then you have to have a Linux or Windows dom0 (perhaps Mac OS X would work, too?). I'm doing a CentOS install right now, specifically to try FreeBSD under Xen. As someone else mentioned, VirtualBox and FreeBSD get along great though I'm not entirely sure *I* would use it for a production environment. I ran VirtualBox on a FreeBSD host with FreeBSD, OpenBSD, Linux, Windows XP and Windows 7 Ultimate guests and my issues were minimal. It's the only virtualisation software installed on this workstation.

kmw

--
A: Maybe because some people are too annoyed by top-posting.
Q: Why do I not get an answer to my question(s)?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: vmware and freebsd 8
On 28 July 2010 09:12, Steve Polyack kor...@comcast.net wrote:

> We've always used the open-vm-tools port (/usr/ports/emulators/open-vm-tools-nox11). There is both an x11 and nox11 version, both of which work very well. It also includes a handful of other drivers and modules, including the memory balloon driver. If you only intend on using the vmware-guestd, vmxnet, and/or vmmemctl (memory balloon driver), then you can build with -DWITHOUT_DNET -DWITHOUT_ICU -DWITHOUT_FUSE to eliminate a few more dependencies.

Steve - that's excellent advice. I'll try out open-vm-tools-nox11 on one of my VMs this afternoon and see how it goes.

Thanks!!

kmw
Re: Virtualbox Networking Issues
On 15 July 2010 17:35, Chris Maness ch...@chrismaness.com wrote:

> I am not able to ping anything. I cannot ping the gateway or the host. I tried bridge, NAT, and host only.

Can you provide the output of ifconfig and the contents of rc.conf from the virtual machine?

(Purpose - to see if the interface exists, what it thinks its link status is and how it's supposed to get an IP)

kmw
Re: FreeBSD router - large scale
On 28 May 2010 07:38, Bruce Cran br...@cran.org.uk wrote:

> This is possibly the wrong place to be saying this, but isn't OpenBSD usually recommended for routers? I believe the version of pf, for example, is normally kept more up-to-date than in FreeBSD. The major downside I know of is that it's not nearly as user-friendly; for example my recollection of its installer is that you have to input sector offsets manually in the partition editor!

Bruce - sorry for taking so long to reply, this project has been slow-moving.

Yes, you are correct, OpenBSD is typically used in this situation and, if the project were strictly for a routing component, it may indeed be a better choice. My concern was that if we decided to add any proxy capability then we would need much more RAM than OpenBSD could address (this will front at least 8k users).

I have found the OpenBSD installer to be quite friendly but that's probably because it is pretty minimal and just sort of clicks with me. As long as you're dedicating the system to *BSD, I generally prefer the OpenBSD installer for its flow but have found no particular allegiance with either their installer or sysinstall. As long as I can have a running system within four or five minutes of powering on with the install CD, I don't really care.

kmw
Re: FreeBSD router - large scale
On 27 May 2010 12:12, Matthew Seaman m.sea...@infracaninophile.co.uk wrote:

> The hardest job I've had an OpenBSD firewall do is actually as a mid-level firewall between a DMZ full of web servers and a back-end database layer. The thing to watch out for is running out of states in PF. It's trivial to change that in the config, and given a machine with 1GB or so RAM dedicated to running PF, you can up the number of states by a factor of a hundred or more without problem. Also if you know all your connections are from directly attached networks and very low latency, you can be a lot more aggressive about dropping old states.

Matthew - thanks for the information!

For other reasons I'm limited to about 500k states...since our typical hardware build has at least 4GB of RAM, I'm not overly concerned about RAM exhaustion when routing. As I stated in another post the potential for something like a squid cache does exist, in which case I'll take all the RAM I can get my hands on (a 16GB+ build is not out of the question at that point).

Preliminary testing has been favorable. My big concerns have mostly been related to state and packets per second. The first test environment was as follows:

    | one NIC, 4 routable addresses |
    |                               |
 -- |       FreeBSD 8 Router        | --
    |                               |
    | one NIC with aliases for      |
    |   10.10.10.254                |
    |   10.10.20.254                |
    |   10.10.30.254                |
    |   10.10.40.254                |
                    |
                |switch|

Attached to the switch are four workstations/laptops:

10.10.10.1/255.255.255.0
10.10.20.1/255.255.255.0
10.10.30.1/255.255.255.0
10.10.40.1/255.255.255.0

All connections are gigabit. The idea is that in a production environment, we'll have multiple /22 networks coming in so I wanted to test having multiple network aliases. There will be a pool of public addresses for the outside interface(s), possibly as large as a class C but probably 20 - 30 addresses.

By using sticky-address on a NAT rule, we can watch each RFC-1918 address get mapped to a different outside address via round-robin while enforcing that all connections from one inside host are consistently mapped to the same external address.

Generating 10k active pings on each of the workstations/laptops, we were able to get an idea of how the machine would respond with 80k active states (two per connection, one in each direction). Adding in a couple of BitTorrent and HTTP .iso downloads only supported the conclusions we were beginning to form. Currently I'm testing it with multiple BitTorrent downloads and a very lively World of Warcraft installer. While nowhere near an indication of what we could expect in production it is showing us RAM usage, processor usage and state maintenance behaviour that gives us pretty good indications that we can go ahead and test in a larger environment.

Like I said, we are otherwise limited to approximately 500k states (actually 250k connections) and only about half of that will be allotted for the population this project is targeting so testing with 100k states is actually pretty realistic at this point. We will wait, of course, to attempt a production deployment until after we have tested with a larger sample of the target population.

Thanks to everyone for their comments and suggestions, both on and off list!

kmw
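The round-robin plus sticky-address mapping described above, written out as an added pf.conf fragment so the pieces are visible together; this is not the poster's ruleset. The interface names, the four inside /24s from the test diagram, the 203.0.113.0/28 documentation range standing in for the public pool, and the timeout values are assumptions chosen for the example.

```pf
# Added example (not the poster's configuration): outbound NAT from several
# RFC 1918 /24s to a pool of public addresses, round-robin with sticky-address
# so every connection from a given inside host leaves from the same outside
# address. Interface names, inside networks, the pool and the timeouts are
# assumptions for illustration.

ext_if = "em0"
int_if = "em1"

# Inside networks routed through this box (one alias per /24 on $int_if)
table <inside> const { 10.10.10.0/24, 10.10.20.0/24, 10.10.30.0/24, 10.10.40.0/24 }

# Public pool; 203.0.113.0/28 is the documentation range standing in for
# the 20-30 real addresses
nat_pool = "203.0.113.0/28"

# Raise the state table ceiling to the tested budget; watch it with `pfctl -si`
set limit states 500000
# Directly attached, low-latency networks can afford shorter idle timeouts
set timeout { tcp.established 3600, tcp.closing 60, udp.single 15 }

set skip on lo0

# round-robin picks the next pool address for each new inside host;
# sticky-address then pins that host to the address it was given for as
# long as its source-tracking entry lives, so a remote server sees one
# inside host as one outside address
nat on $ext_if from <inside> to any -> $nat_pool round-robin sticky-address

# Inside traffic allowed out; nothing unsolicited in on the outside interface
block in on $ext_if
pass in on $int_if from <inside> to any keep state
pass out on $ext_if keep state
```

With sticky-address the mapping is kept in a source-tracking entry, so `pfctl -s Sources` shows which outside address each inside host has been pinned to; that is also the table to consult when a remote administrator reports one of the pool addresses.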
Re: Add watermark to PDF
On 1 June 2010 10:15, John Almberg jalmb...@identry.com wrote:

> I would like to add a customized footer (a stamp or watermark) to an existing PDF, like the guys at Pragmatic Programmers do with their PDFs.

I used to do something similar using the fpdf/pdftk toolkits.

http://www.fpdf.org/
http://www.accesspdf.com/pdftk/

kmw
FreeBSD router - large scale
Hello everyone.

We're in the very early stages of considering [Free|Open]BSD on commodity hardware to handle NAT *and* firewall duties for (what I consider to be) a sizable deployment. Overall bandwidth is low, only a gigabit connection, but we handle approximately fifteen thousand devices. DHCP and DNS would be passed through to other servers, this hardware would only be responsible for address translation and pf.

I've done this on a very, very small scale (small/home office, small business) but I'm curious how many other folks are doing it on this scale, the hardware they are running on and any gotchas they may have faced. Does pf on FreeBSD take advantage of multiple cores/SMP? Is it preferable, as with OpenBSD, to go for a very stout processor without much consideration to cores? Would freebsd-net@ be a better place to ask this?

I'm getting ready to start digging in to memory and other resources needed based on available documentation but real-world usage is much preferred to my academic assessment.

Thanks!

kmw
Re: Virtualbox on Freebsd
On 4 March 2010 14:15, Paul Schmehl pschmehl_li...@tx.rr.com wrote:

> I'm trying to build it from ports right now and running into all sorts of issues with qt4 stuff. This doesn't exactly inspire confidence when it comes time for me to do my next round of updates.

I remember running into an issue with qt when building Virtualbox but I *believe* a forced removal of everything qt related and letting it start the process from scratch fixed the issue. I'll keep better notes next time :-\

kmw
Re: Root exploit for FreeBSD
2009/12/10 Anton Shterenlikht me...@bristol.ac.uk:

> From my information security manager:
>
> FreeBSD isn't much used within the University (I understand) and has a (comparatively) poor security record. Most recently, for example:
>
> http://www.h-online.com/security/news/item/Root-exploit-for-FreeBSD-873352.html

Wow. Just...wow.

FreeBSD's security record, the rate at which fixes occur, the ports system and the overall sanity of the environment is *precisely* why we have been migrating from RHEL to FreeBSD at my University (I'm employed by the University, not a student).

I would be quite curious as to which operating system is serving as the baseline for this comparison. I would also be quite curious as to whether the manager making said statement is responsible for central IT services or is locked into providing services by a particular vendor.

kmw

--
Beware the leader who bangs the drums of war in order to whip the citizenry into a patriotic fervor, for patriotism is indeed a double-edged sword. It both emboldens the blood, just as it narrows the mind. And when the drums of war have reached a fever pitch and the blood boils with hate and the mind has closed, the leader will have no need in seizing the rights of the citizenry. Rather, the citizenry, infused with fear and blinded by patriotism, will offer up all of their rights unto the leader and gladly so - Unattributed, post 9/11
Re: Root exploit for FreeBSD
2009/12/10 Anton Shterenlikht me...@bristol.ac.uk:

> I was just stressed after being forced by him to explain why I wanted firewall exceptions for two ports to my FreeBSD portscluster nodes. I explained the reasons and that was settled.

Anton, I don't know about the UK, Great Britain or England, but in US Universities, this is fairly common. It just serves as a sanity check for the many, many requests central IT tends to get regarding allowing ingress traffic for faculty/staff machines, and it gives the firewall guys documentation that such-and-such machine should be receiving inbound traffic on specific ports.

> The Uni is, of course, addicted to Microsoft, but having realised all the problems with that, lately the policy has been to deny (!) MS users admin access to their own desktops. The situation is just ridiculous - if a MS user wants to install a piece of software on their PC he/she has to ask for permission, and then wait until some computer officer would come and do the install for them.

Again, I don't know about the UK, Great Britain or England, but in the US this is also quite common, at least with regards to University owned hardware. The first responsibility is to protect the network and existing services. Sadly, many groups fail to provide the next step, that being a relatively quick, easy way to have approved software installed for users, and a method for having non-approved software scrutinised and either approved or rejected.

> Also recently, well.. about a year ago, no host (!) could be accessed from outside the Uni firewall. Special exception has to be obtained even for ssh. There is only one dedicated sun server which accepts only ssh. The users are supposed to dial to this frontend server first, and from there to hosts on the local net.

Again, quite common. Most Universities here do not provide public-facing IP addresses without some sort of application and approval process. For example, we have a handful of machines that are public facing but most of our hardware sits inside site-only networks. To access those machines you either have to be on-campus or you have to connect via VPN (and yes, we support Windows, Mac, Linux, Solaris, *BSD). Having an SSH proxy isn't an entirely bad idea, though I can see where performance may be hindered.

> I had to fight a long battle, well.. I had some support from other academics, to have a linux class in my Faculty. Here the opposition wasn't so much security, as why would any undergraduate need linux, as if MS solutions are a pinnacle of human thought.

That's a pretty fair question and one that I hope you would have asked yourself before you made the push for the class.

> And from what I understand it's going to get worse. Apparently the IT services are drawing up plans to completely forbid use of non-authorized OS. I imagine fbsd will not be authorized. So I'm anticipating another battle already.

Does this extend to computers used for academic research, student owned computers being used on campus, etc? Perhaps it's because we're conditioned to think this way but a lot of us at universities in the US see a lot of this as being commonplace and to *not* do them is generally considered bad security practice.

kmw
Re: CMS
Paul - I used to work with the guys at Appalachian State that did phpWebSite (I was their SA) and it worked great on FreeBSD. I can't say how well it works *now* but it ran fine as of a year ago on Apache2 + PostGreSQL. As far as a CMS or application framework went, it was a cinch. I just never could get into the others.

kmw

On 15/10/2009, Paul Schmehl pschmehl_li...@tx.rr.com wrote:

> I manage a couple of FreeBSD servers for a friend. He's gotten all excited about content management and thinks that's the way to go. The system he's familiar with is Windows only.
>
> I've done a little research, but I'm wondering if anyone reading the list has experience with a CMS on FreeBSD - one that's in ports preferably. Pros? Cons? Any known security issues?
>
> Paul Schmehl, If it isn't already obvious, my opinions are my own and not those of my employer.
> ** WARNING: Check the headers before replying

--
Sent from my mobile device

Whenever there is in any country, uncultivated lands and unemployed poor, it is clear that the laws of property have been so far extended as to violate natural right. The earth is given as a common stock for man to labour and live on. -- Thomas Jefferson, 1785
Re: Show bandwidth usage by IP address (through pf)
2009/10/7 Maxim Khitrov mkhit...@gmail.com:

> I have pf filtering traffic to our network. Is there any easy way to see the current bandwidth usage sorted by ip? Someone is using up almost 100% of total bandwidth and parsing pfctl -ss -v isn't getting me anywhere.

It's overkill and does a ton more than what you're asking for...but have you looked at ipaudit? Or, more specifically, ipaudit-web? I ended up installing apache/gnuplot/etc from ports but installed ipaudit from source as the version in ports is *incredibly* outdated.

kmw
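For the "parsing pfctl -ss -v isn't getting me anywhere" part of the question, here is the parse carried through, as an added example that is not part of the thread: the verbose state listing prints a per-state counter line of the form `age ..., N:M pkts, A:B bytes, rule R`, and summing the two byte counters of every state under the address that originated it gives a per-host ranking. `SAMPLE` is constructed to mimic that layout (the three-address form quoted elsewhere on this page, plus one untranslated state); the addresses and counters are made up, and `bytes_by_host`/`top_talker` are names chosen here.

```sh
#!/bin/sh
# Added example, not from the thread: rank hosts by the per-state byte
# counters that `pfctl -ss -v` prints. SAMPLE is constructed to mimic that
# output (state line, optional window line, then the "age ..., N:M pkts,
# A:B bytes, rule R" line); addresses and counters are made up. The parser
# keys on the "->"/"<-" tokens and the "bytes" keyword, not on column
# positions, so extra whitespace in real output does not matter.

SAMPLE='all tcp 10.10.10.1:51000 -> 203.0.113.3:51000 -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
   [3001234567 + 65535]  [2001234567 + 65535]
   age 00:05:12, expires in 23:59:58, 1200:900 pkts, 123456:987654 bytes, rule 3
all udp 10.10.20.1:5353 -> 203.0.113.4:5353 -> 198.51.100.53:53       MULTIPLE:MULTIPLE
   age 00:00:03, expires in 00:00:27, 3:2 pkts, 200:120 bytes, rule 3
all tcp 10.10.10.1:51001 -> 203.0.113.3:51001 -> 198.51.100.8:80       ESTABLISHED:ESTABLISHED
   age 00:01:00, expires in 23:59:00, 10:10 pkts, 1000:50000000 bytes, rule 3
all tcp 203.0.113.1:33000 -> 198.51.100.9:80       ESTABLISHED:ESTABLISHED
   age 00:10:00, expires in 23:50:00, 5000:5000 pkts, 400000:600000 bytes, rule 5'

# bytes_by_host STATES
# Sums both directions' byte counters of every state under the address that
# originated it (the first address on the state line, i.e. the inside host
# for translated traffic) and prints "address bytes", largest first.
bytes_by_host() {
    printf '%s\n' "$1" | awk '
        # state line: remember who originated it, minus the port
        $4 == "->" || $4 == "<-" { host = $3; sub(/:[0-9]+$/, "", host); next }
        # counter line: the token before "bytes" is "first:second" direction totals
        /bytes/ {
            for (i = 2; i <= NF; i++)
                if ($i == "bytes," || $i == "bytes") {
                    split($(i - 1), b, ":")
                    total[host] += b[1] + b[2]
                }
        }
        END { for (h in total) printf "%s %.0f\n", h, total[h] }
    ' | sort -k2,2nr
}

# top_talker STATES
# Just the address with the largest total.
top_talker() {
    bytes_by_host "$1" | head -n 1 | cut -d' ' -f1
}

# The counters are cumulative for the life of each state, not a rate; to get
# bytes per second, save two `pfctl -ss -v` snapshots a few seconds apart and
# subtract one ranking from the other.
bytes_by_host "$SAMPLE"
echo "top talker: $(top_talker "$SAMPLE")"
```

Because a long-lived state keeps accumulating, a host that moved a lot of data an hour ago can top this list while idle now; the two-snapshot difference described in the comment is what answers "who is using the bandwidth right now".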